Do security images such as those presented upon logging into banks provide any tangible security benefits, or are they mostly theater?

Per my understanding, if somebody is phishing your users, it's also trivial for them to proxy requests from your users to your authentic website and retrieve the security image with whatever credentials the user provides before receiving the image (e.g., the username). If this is the case, security images seem to provide no additional security, and may actually be harmful if they help convince users that a malicious website is legitimate.

4 Answers
4

Great question! As it happens, I can present experimental data on this question -- and the data is fascinating. (I noticed that some of the answers contain speculation from first principles about how much security these security images offer. However, the data turns out to have some surprises for all of us!)

Experimental methodology.
"Security images" have been evaluated in a user study, conducted with ordinary users who were asked to perform online banking in the lab. Unbeknownst to them, some of them were 'attacked' in a controlled way, to see whether they would behave securely or not and whether the security images helped or not.

The researchers evaluated two attacks:

MITM attack: The researchers simulated a man-in-the-middle attack that strips off SSL. The only visible indication of the attack is that lack of a HTTPS indicator (no HTTPS in the address bar, no lock icon, etc.).

Security image attack: The researchers simulated a phishing attack. In this attack, it looks like the users are interacting with the real bank site, except that the security image is missing. In its place, the attack places the following text:

SiteKey Maintanance Notice:
Bank of America is currently upgrading our award winning SiteKey feature. Please contact customer service if your SiteKey does not reappear within the next 24 hours.

I find this a brilliant attack. Rather than trying to figure out what security image to show to the user, don't show any security image at all, and just try to persuade the user that it's OK that there is no security image. Don't try to defeat the security system where it is strongest; just bypass the entire thing by undermining its foundation.

Anyway, the researchers then proceeded to observe how users behaved when they were attacked in these ways (without their knowledge).

Experimental results.
The results? The attacks were incredibly successful.

Not a single user avoided the MITM attack; every single one who was exposed to the MITM attack fell for it. (No one noticed that they were under attack.)

97% of those exposed to the security image attack fell for it. Only 3% (2 out of 60 participants) behaved securely and refused to log in when hit with this attack.

Conclusions.
Let me attempt to draw some lessons from this experiment.

First, security images are ineffective. They are readily defeated by very simple attack techniques.

Second, when assessing what security mechanisms will be effective, our intuitions are not reliable. Even expert security professionals can draw the wrong conclusions. For instance, look at this thread, where some folks have taken the view that security images add some security because they force the attacker to work harder and implement a MITM attack. From this experiment, we can see that this argument does not hold water. Indeed, a very simple attack (clone the website and replace the security image with a notice saying the security image feature is currently down for maintenance) is extremely successful in practice.

So, when the security of a system depends upon how users will behave, it is important to conduct rigorous experiments to evaluate how ordinary users will actually behave in real life. Our intuitions and "from-first-principles" analyses are not a substitute for data.

Third, ordinary users don't behave in the way security folks sometimes wish they would. Sometimes we talk about a protocol as "the user will do such-and-such, then the server will do thus-and-such, and if the user detects any deviation, the user will know he is under attack". But that's not how users think. Users don't have the suspicious mindset that security folks have, and security is not at the forefront of their mind. If something isn't quite right, a security expert might suspect she is under attack -- but that's usually not the first reaction of an ordinary user. Ordinary users are so used to the fact that web sites are flaky that their first reaction, upon seeing something odd or unusual, is often to shrug it off and assume that the Internet (or the web site) isn't quite working right at the moment. So, if your security mechanism relies upon users to become suspicious if certain cues are absent, it's probably on shaky grounds.

Fourth, it's not realistic to expect users to notice the absence of a security indicator, like a SSL lock icon. I'm sure we've all played "Simon Says" as a kid. The fun of the game is entirely that -- even when you know to look out for it -- it is easy to overlook the absence of the "Simon Says" cue. Now think about a SSL icon. Looking for the SSL icon is not the user's primary task, when performing online banking; instead, users typically just want to pay their bills and get the chore done so they can move on to something more useful. How much easier it is to fail to notice its absence, in those circumstances!

By the way, you might wonder how the banking industry has responded to these findings. After all, they emphasize their security images feature (under various marketing names) to users; so how have they reacted to the discovery that the security image feature is all but useless in practice? Answer: they haven't. They still use security images. And if you ask them about their response, a typical response has been something of the form "well, our users really like and appreciate the security images". This tells you something: it tells you that the security images are largely a form of security theater. They exist to make users feel good about the process, more than to actually protect against serious attacks.

References. For more details of the experiment I summarized above, read the following research paper:

+1 - Good answer. I don't think our answers are mutually exclusive. The results of the study are probably somewhat dated (~5 years) as modern browsers make https more prominent (green URLs/Trust bars) as well as HSTS. I think if repeated, more users would notice the lack of HTTPS/SSL. You still recommend SSL for passwords & banking, correct? Possibly in this environment more users would avoid the 'security image feature is down'; if it was easier to notice hey the page also lacks https at that moment. Again phishers will find and fool clueless users, though hopefully not me.
–
dr jimbobSep 5 '12 at 17:31

@drjimbob "as well as HSTS" HSTS is only effective on the exact same domain, see my-bank.com vs mybank.com vs mybank.secure-server.com.
–
curiousguySep 5 '12 at 18:19

@curiousguy - Yes. But if an attacker has redirected mybank.com to a malicious IP instead of the banks IP, and the user has visited the bank in the past ~90 days or HSTS is hard coded in the browser then this prevents that simple attack. Sure the attacker could still trick someone into clicking/typing to go to my-bank.com a completely different site which doesn't use SSL. Again, not idiot-proof but you may notice. (Or a proactive bank could purchase and enable HSTS for similar domain names).
–
dr jimbobSep 5 '12 at 18:42

I don't rate their security particularly high; but they are more than just security theater. They potentially can make the job of the attacker more difficult and the job of a security forensic experts tracking down anomolies easier.

Let's say there is no security image/phrase or equivalent. Then an man-in-the-middle attacker can construct a fake version of the website to capture credentials of unsuspecting users without any red flags popping up. (Assuming they can get the user to notice the lack of https at their bank or have installed a fradualent certificate in the users web browser).

Now, let's analyze the scheme used by my bank (ING), where whenever I register from a new browser, I first type my user name, the bank replies "Hi jim bob", please answer two (random) security questions (from a list of about 5) as you haven't used this computer before. These questions are somewhat low entropy, but still you would have to know me and my family history to get correct; or proxy these questions over to my computer. Then it shows me my security image, and asks for my password.

So now the man in the middle attack has to be active (then a fake server that's always waiting for users to give credentials that perfectly mimics a fake site). First, I may think its suspect that I have to re-enter my security questions when this is from my normal computer. Now, the MitM has to query the actual bank during the attack to first find the two random questions fetched for my account, send it back to me seemlessly and record my answers and then send back my answers to the real bank over their https connection to grab the security image.

Then the attacker either has to grab the URL of the security image or download it themselves, then upload it to their in-the-middle webserver for me to download from them. This could be suspicious if say they just fetched the URL of the security image, so a different IP viewed the security image then had established an https connection to their website for everything else. Or if the attackers downloaded it and redisplayed to me, now the attackers IP address has been exposed and they may be able to get the block/shutdown that maliciously controlled IP address.

Could it be bypassed, definitely yes. But its not just security theater and could be a helpful part of defense-in-depth along with https. The more I think of it, I think this is the main selling point. I possibly may not notice if my bank wasn't https if I'm in a rush. If prompted to re-enter my security questions; I may pause and double check that it is https with the actual bank's URL (not http or something similar).

Why bother? If they can inject javascript, then they can read the username and password tokens directly. Or are you talking about using the users selection from an array of images as an authentication step?
–
symcbeanAug 24 '12 at 11:46

1

@curiousguy - The phishing webpage doesn't know what the right image is until they're midway through the phishing attack (initiated a MitM connection with the bank to get security questions for your username; and then send back security answers) as well as a connection you (spoof the bank; capture your username, security answers). At that point they could use JS (among other methods of dynamically generating web page) to display it back to the MitM victim. However, a bank may be able to differentiate this action from one of a normal user, by analyzing http request headers or other info.
–
dr jimbobAug 24 '12 at 16:42

1

@curiousguy - This is a layer for defense-in-depth; not a replacement for HTTPS and other sensible practices. It prevents one threat; hosting a static page in a phishing attack to collect passwords that doesn't need to interact with the real bank until credentials are caught and used at the attacker's leisure. The bank could also build in subtle defenses on top of this. E.g., if the same IP has the connection to the bank and the user, the bank could conceivably check if a user registering a new computer has a webserver running that seems to be a spoofed version of their login page.
–
dr jimbobAug 24 '12 at 16:45

2

@curiousguy - I suppose it could. They would need to know WHICH security image you actually selected. It doesn't actually sound like you know how javascript works. If they already have the ability to pull YOUR security image for your bank account, then they already have ALL the information they need, to access your bank account. There is no reason to fool you more after you have provided them a username and password.
–
RamhoundSep 5 '12 at 17:52

2

@Ramhound The security image is typically keyed only by the username. You prompt for the username, use this to fetch the security image from the bank's website, and render it back to the user.
–
Stephen TousetSep 6 '12 at 3:15

It's a brave attempt to address the problem of trust. SSL is great for computers to establish trust - but pretty meaningless to people. If you can think of a better way for a site to provide proof to a non-technical user that it is what it appears to be then I'd be very interested to hear about it.

As others have said, they place another hurdle in front of phishers.

But compared with a standalone phishing site, it means that the real service provider potentially has some visibility over the activity; seeing lots of request for different users from the same address followed by either no further interation or an automated interaction should be fairly visible.

The security image has NOTHING to do with SSL. There are lots of ways to do so, and many are built into the browser, but people DO NOT pay attention because for some strange reason "computer security" is not a big concern.
–
RamhoundSep 5 '12 at 17:59

If this is the case, security images seem to provide no additional security,

Instead of pulling a static copy of the login page, now the phishers have to make a page capable of interacting with the original website.

An extreme hypothesis is that they are extremely dumb, and will retrieve the custom images with their own IP, or an IP that can be linked to them.

A less extreme dumbness hypothesis is that they will retrieve many custom images with one or a few different IP addresses, which might raise suspicion for IP addresses from ISP not known to use carrier wide NAT.

But the same "origin IP" issues exist with a phishing of the simple type, with the ordinary login/password pair: the only value of these collected data is that they can be used to log in the original website. The phishers always need a pool of "good looking" IP addresses if they don't want to raise suspicion (what a "good looking" address is depends on the webpage and its audience).

For bank phishing, the money must be transfered by "mules" to intermediate accounts. The fishers need not only IP addresses (a botnet can provide these), but also intermediate bank accounts. Real people must provide these accounts.

Phishing at a large scale certainly requires good planning, and strict security procedures, because sooner or later, the fishing operation is going to be discovered, and investigated. And when it is, the people in charge of the phishing operation certainly care about their privacy (not being found).

I don't know the exact details of such operations, but I don't believe the addition of "download the security image" is going to be a deterrent.

and may actually be harmful if they help convince users that a malicious website is legitimate.

Yes indeed.

The average likely to be victim of phishing user is unable to do the proper security evaluation of the scheme. Almost all such users will overestimate the security benefits.